Posted by Unknown Lamer on Wednesday December 28, 2011 @02:19PM from the forecast-is-for-doom dept.

wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 individual credit card numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well."
As of posting, Stratfor's website is still down.
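The kind of triage the Identity Finder analysis quoted above describes (unique card numbers, expired versus current, unique e-mails) is mechanical enough to script. The block below is an added example, not code from the story, from Identity Finder or from Stratfor; the dump rows and the reference date are constructed, and the Luhn check is used to discard strings that cannot be card numbers at all. It also counts how many accepted card numbers came with a CVV, since storing that value after authorization is prohibited under PCI DSS and its presence in a dump is a finding in itself.

```python
"""Triage a leaked card/e-mail dump the way the analysis quoted above
counts unique card numbers, expired vs. current cards and unique e-mails.
Added example, not from the story, Identity Finder or Stratfor; the dump
lines and the reference date below are constructed."""
import re
from datetime import date

# Constructed sample rows: name,email,pan,expiry(MM/YY),cvv
SAMPLE_DUMP = """\
Alice Adams,alice@example.com,4111111111111111,05/10,123
Alice Adams,ALICE@example.com,4111111111111111,05/10,123
Bob Brown,bob@example.org,5500000000000004,11/13,456
Carol Cruz,carol@example.net,4111111111111112,08/12,789
Dan Diaz,dan@example.com,340000000000009,01/13,1234
"""
REFERENCE_DATE = date(2011, 12, 28)  # constructed "today" for the expiry check

PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: rejects strings that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_expired(expiry: str, today: date) -> bool:
    """A card is usable through the last day of its MM/YY month."""
    mm, yy = expiry.split("/")
    return (2000 + int(yy), int(mm)) < (today.year, today.month)


def triage(dump: str, today: date = REFERENCE_DATE) -> dict:
    """Count what is actually exposed: unique e-mails, Luhn-valid PANs,
    how many of those are still current, and whether CVVs were stored."""
    emails, expiry_by_pan, pans_with_cvv = set(), {}, set()
    rows = rejected = 0
    for line in dump.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 4:
            continue
        rows += 1
        _name, email, pan, expiry = fields[:4]
        cvv = fields[4] if len(fields) > 4 else ""
        emails.add(email.lower())       # case-fold before counting uniques
        if not (PAN_RE.fullmatch(pan) and luhn_ok(pan)):
            rejected += 1               # typo, test value or not a PAN at all
            continue
        expiry_by_pan[pan] = expiry
        if cvv:
            pans_with_cvv.add(pan)
    expired = {p for p, e in expiry_by_pan.items() if is_expired(e, today)}
    return {
        "rows": rows,
        "unique_emails": len(emails),
        "unique_pans": len(expiry_by_pan),
        "rejected_pans": rejected,
        "expired": len(expired),
        "current": len(expiry_by_pan) - len(expired),
        # storing the CVV after authorization is prohibited under PCI DSS,
        # so any non-zero count here is a finding in itself
        "pans_with_cvv_stored": len(pans_with_cvv),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_DUMP).items():
        print(f"{k:22s} {v}")
```

On the constructed rows this reports 5 rows, 4 unique e-mails (the two spellings of Alice's address collapse), 3 Luhn-valid card numbers with 1 rejected, 1 expired and 2 current, and 3 cards stored together with their CVV. Note that the expiry classification only tells you which cards a bank would decline today; a real dump would still need the issuer BINs checked before anyone is told their card is safe.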

The credit card numbers they stole and exposed were used to make over one million dollars worth of "donations" to different charities like Red Cross, Save the Children and CARE. Good job Anonymous!

Except that they were all reversed with chargebacks, which not only took back all the money given, it actually cost the charities around $250,000 in chargeback fees which are now off from what other, legit people donated. Awesome job there! Idiots...

I highly doubt that charities are getting charged chargeback fees for something that they did not do themselves, and you made up the amount of $250,000 because there is no way the banks would be able to justify the fees for a quarter of the total amount.

Do you really think that it will be banks covering the costs? That never happens. It's always the merchant. Charity or not. The 250,000 comes from my knowledge of chargeback fees being $25-40 for merchants. With around 10,000 current credit cards exploited, I actually took the lowest possibility of $25 per chargeback and didn't even account for multiple donations per card. The fees can be much higher too, but it is at least $250,000.

And this (the merchant getting hit for fraud and banks raking up the pizzo) coupled with deregulation is why the banks will never invest in development of less fraud-prone electronic transaction mechanisms. For fuck's sake, they're running rackets and we're bailing them out on a daily basis.

In this case, it would be good PR for a bank to cover it for the charities. Heck, the banks could probably even write it off as a donation.

Good PR? Give me a break. Banks don't give a rat's ass about PR because they mostly 0wn this planet, and there is literally nothing that will stop them from 0wning it more. I mean, they seriously damaged the world economy, put lots of people into excruciating hardship in the US, and there they are. PR didn't really play a role in this.

I know that guy, he's pretty good. He was on the internet when you were a sperm in your daddy's balls, and is a good friend of Cliffy B, Scott Lowe, the guys from Penny Arcade and the mayor of Boston.

The only way someone gets bankrupted is if they didn't validate the cards properly.

Now validation costs money to do properly, but failing to validate can cost a lot more. It is like $0.30 plus staff time to do proper validation vs. $25 or $35 to deal with a chargeback.

See, validation makes sense, especially if you are subject to lots of fraud. Anytime a credit card number is taken on the Internet you can assume at least 20% of the entries are fraudulent and you better handle that - because if you submit m

When you sign up for a merchant account, you are contracting with a "merchant services provider". They are the ones that are handling the credit card transaction processing. When you get paid, they put money into the transfer account as per your agreement - then a bank is involved. Until then, you are dealing with a reseller (probably) and some place like First Data which is not in any respect "a bank".

You might be able to get your merchant services provider to back off on some massive fraud and not charge you the full $25 for each and every single chargeback. However, a lot of this is dictated not by your merchant services provider and not even by First Data but relates to the fact that people get involved at both the bank (where your money got put) and also with the customer card accounts themselves. When First Data processes a charge in error and it shows up on some poor customer's statement, they likely have to pay a service fee to the customer's credit card processing company to get the charge taken off. Now that might be a bank.

So the likelihood of getting the charges waived is pretty low. It costs real money to screw with credit cards and if you aren't properly validating the transactions - before submitting them - you are going to run up some big bills. Did these charities do proper validation and find out they were being scammed? Hope so, because then it would not have cost them anything. If they ran the charges through, they are likely going to have to pay.

Excellent representation of the processing of transactions. Most people don't realize that processing of credit card transactions in the US doesn't really involve banks other than authorizing the transaction (meaning there is either money in a checking account for debit cards typically or credit available on a credit account) and acting as the receiver of the transfer for the merchant once the transactions are settled. Interested in a job :)

It doesn't matter if they're a charity or not. They may have managed to talk the bank out of some of the fines, but that'd be about it.

One place I worked, which did high volume CC transactions, the typical sale was $25. A chargeback resulted in the bank taking back the full amount ($25) plus fine ($35).

We worked hard to avoid chargebacks. As I recall, you can lose your merchant account if you exceed 1% chargebacks. Before the chargeback is done, the merchant is given a "chargeback notification". At that point, we can dispute, refund, or ignore it. Since we were an online company, we didn't have a physically signed receipt to prove that the person was actually the purchaser.

With a signed receipt and someone to confirm that they visually verified the identification, you can dispute.

We opted to refund, and cancel their account. That way, we simply didn't make the value of the sale, but there were no fines applied. So +$25 on the transaction. -$25 on the refund. $0 total.

Typically, the consumer would call first, before the chargeback. We'd assist them in finding out the details of the transaction. We'd give them the time, date, information about the IP, and email address used with it. Most of the time, we could positively say that the transaction occurred in their location (by the IP and ISP). They'd recognize the email address as belonging to someone else in their household. If they wanted, we would cancel the account and refund the full amount. I'd say refunds occurred about 50% of the time. They'd talk to their family members, and find out that they had done the transaction, the card holder just didn't know, but they allowed it anyways.

For us, it didn't matter that much. We handled millions of dollars a year. Who cared about a few dozen refunds in the same period. It was cheaper to refund and make the consumer happy, than dispute and risk incurring the fines, and risking our merchant account status.

I know people with stolen card information will test it by donating a small amount to charity. People won't generally notice a $1 or $5 charge on their card, if it's frequently used. They'll catch on when the card is used the second time for a high dollar transaction. The idea of the test transaction is only to verify the card. It's easy, and they don't have to provide a valid delivery address for merchandise. They aren't doing it out of good will, they're exploiting the system a bit more.

I can't say if they do or not. It's really up to them how they manage things. They may try to play hard ball, to avoid "buyers remorse". It may feel good to donate a bunch of money. The person may realize later that it was more than they could afford. If they confirm that the purchase was legitimate, it becomes a more difficult task to get the chargeback. I say difficult, but not impossible.

We just chose to take the path that is best for the customer. We'd rather please the consumer, who

After 10 years working in the credit card industry I can tell you that banks rarely pass up an opportunity to hit merchants with fees, and charities are nothing more than merchants to them. The theory they go by is that merchants should be able to tell what transactions are fraudulent, but really it's just an excuse to charge for the trouble of having to deal with chargebacks (and make a little extra money on the side).

That's kind of messed up. If I were the banks... I'd try to find some way to "forgive" that or charge the whole incident to the credit card fraud department. Credit cards charge such high interest in part to pay for such things. Just tap that fund for this and leave the poor charities alone.

According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.

Why the hell did Stratfor store credit card numbers in plain text? They totally deserve what happens to them; I hope they'll have to pay all charges for the credit card changes. This is not the first time a company has had this kind of problem, but we are now (almost) in 2012, so this problem should have disappeared a long time ago. Did they audit their security? It's pretty sure, but they probably didn't show their custom modules, so it's totally their fault here.

Because they are a useless parking lot for political "science" graduates that can't get a job anywhere else but are handy as campaign workers each election. When is the USA going to wake up and understand that the "think tanks" are full of rejects instead of experts.

Anonymous is nothing more than a bunch of irresponsible children. What the fuck is up with targeting Stratfor? It's not some shadowy clandestine service, it's just a think tank formed by a former politics professor that does analysis. Now, I suppose if your entire worldview is informed by children's cartoons and Hollywood blockbuster movies, that's enough to make them the "baddies" and you the "goodies", but the world doesn't really work that way. Let me explain this to you Anonymous children in terms you can understand: if Batman is walking down the street and sees a guy with a strange costume, he doesn't just beat the shit out of the guy. He goes back to the Batcave, and does his homework, and does some sleuthing, and only after he has figured out that the guy is, in fact, engaged in criminal behavior, *then* Batman beats the shit out of him. See, if you break the law to stop a criminal act, then you're a vigilante. Like Batman. But if you break the law and attack people when you don't have any evidence that they are engaged in criminal activity... then you're not Batman. You're just a fucking criminal.

The irresponsible children bit is ruined slightly by writing about Batman as if he's real :) From one perspective, parasitic noisemakers that pretend to be far more than they are, such as "think tanks", are an obvious target for people that want to stir up trouble and not get hurt. By pretending to be like a competent, well staffed intelligence bureau without actually having the resources of a small newspaper, they would look like a juicy target to somebody that would really like to give the CIA or NSA some emba

Money out of the Red Cross' coffers means they've got less money to waste on things like suggesting online gamers are committing warcrimes. That's between wasting money suing games companies who dare use the red cross on health packs and stuff too.

Money out of Save the Children's coffers means they have less money to continue to campaign for web censorship.

storing credit card numbers attached to account data doesn't sound like intelligence community, sounds more like some douches who went out to find some guys and said "hey you're really smart! give us your cc number and some cash!" to some slobs they found.

real funny shit is how "TEH OFFICIAL ANONYMOUS" is claiming they didn't do it, which is a bit of a what the fuck too, don't they realize they're anonymous - there's no core, there's no agenda, if you don't like it form a hacking group like lulzsec.

You must not have any credit cards, then. I haven't had any credit cards (and I have a dozen) that are not renewed with the account number intact. The expiration date is bumped ahead by some predictable number of months (12, 24, 48, etc), and that's it. Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date. You should get it right on 3rd or 4th try at worst. You can then cache the initial expiration date delta with the first 4 digits of the account number as the cache lookup key.

If they stored CVV, they'd be in a hell of a lot of trouble. PCI compliance requires not storing the CVV.
However, as stated earlier, a lot of places don't require CVV. *None* of the cards should have CVV stored, so there's no real difference between expired and unexpired.

Each time I've had any new card the 3 CVV digits on the rear change too.

With all my debit cards, the last 4 digits of the card changes each time too.

Also, I don't think I've ever had a debit card for its full term. My banks always sent me out a new card before the old one expires for various reasons such as adding chip and pin, adding contactless payment tech, or this time simply for "security reasons" without elaborating what they are.

I don't think I've even ever had a credit expire on its given date and

You're right as to debit cards, I had same experience with those. They seem somehow different from credit cards as far as reissuance is concerned. For credit cards, they had simply sent me new ones a couple months before the expiration date, and they'd usually have new expiration = old expiration + 36 months.

Where I live, when your card expires, you just get a new one with the same card number but a few years added to the expiration date. Wouldn't this allow the attackers to reuse some of the expired cards?

I'm wondering what's the biggest risk with passwords: having it hacked and either stored decrypted or decrypted later, or having someone guess it? I'm starting to think it's the former, which makes me think there's no point in super complex "try and guess THIS one!" passwords.

Passwords are of course useful but not without their flaws, and they've been around so long that their flaws are long identified. Super complex passwords help for things like hard drive encryption, etc; where brute force is the only viable means of access.

Don't use passwords if possible! Especially on your public web Linux server, unless they're at the application-level and protected by TLS/SSL.
SSH daemon should only respond to key-based authentication queries, and furthermore iptables should lock do

Huh? I was referring to webservers where you don't have physical access and can only be hacked remotely. Of course no one would suggest having no password on your laptop, rather, your laptop should have full disk encryption if possible with a password. Using keyfiles from a smartcard and a password for that is even better.

You've misunderstood. Once a thief has possession of a laptop and can log onto that (sometimes by depressingly simple methods) they are then possibly one click away from getting into those remote webservers because the laptop has the key. That's why I wrote above "VPN or similar passwords" because I was writing about logging into remote systems just as you were. Now within the same physical environment as the servers I sometimes do exactly what you've suggested, but offsite I'm very reluctant to have some

I think we're misunderstanding each other. In proper SSH key configurations, the key itself has a passphrase, although this passphrase is not a 'password' in the typical sense in that it is not transmitted to the server. It's only used for decrypting the file in place.
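The key-only sshd posture argued for in this sub-thread is easy to get subtly wrong, because sshd honours the first occurrence of a keyword in the global section, so a hardening line appended at the bottom of sshd_config after an earlier "PasswordAuthentication yes" does nothing. The checker below is an added example, not code from anyone in the thread or from OpenSSH; the config text is constructed, and the list of wanted values is my own (ChallengeResponseAuthentication is the older spelling of KbdInteractiveAuthentication, so adjust for your OpenSSH release).

```python
"""Check an sshd_config for the key-only posture argued for above:
no password logins, no root login, public-key auth on. Added example, not
from the thread; the config text is constructed. sshd honours the FIRST
occurrence of a keyword in the global section, so a hardening line
appended below an earlier 'PasswordAuthentication yes' changes nothing."""

# keyword (lower-cased) -> value a key-only server should have (assumed list)
WANTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",   # keyboard-interactive; KbdInteractiveAuthentication in newer OpenSSH
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}


def effective_settings(config_text: str) -> dict:
    """Return keyword -> value for the global section, first occurrence wins.
    Directives under a Match block are conditional and are not considered."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break                              # rest of the file is conditional
        if len(parts) == 2 and keyword not in settings:
            settings[keyword] = parts[1].strip().lower()
    return settings


def audit(config_text: str) -> dict:
    """Return keyword -> (actual, wanted) for every directive that is not
    explicitly set to the wanted value. actual is None when it is unset and
    the compiled-in default (which differs between OpenSSH releases) applies."""
    actual = effective_settings(config_text)
    return {
        k: (actual.get(k), want)
        for k, want in WANTED.items()
        if actual.get(k) != want
    }


# Constructed sample: the appended "no" at the bottom is silently ignored
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
# added later by someone who thought this would disable passwords:
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for keyword, (got, want) in audit(SAMPLE_CONFIG).items():
        print(f"{keyword}: set to {got!r}, want {want!r}")
```

On the sample it reports four findings: PasswordAuthentication and PermitRootLogin are effectively "yes" despite the later line, and the two unset directives fall back to whatever the build's default is, which is exactly the situation where you want the value written down explicitly. Run `sshd -T` on the real host to see the effective values sshd itself computes, including Match blocks.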

Essentially what I was trying to say is that passwords only do so much, but should be used in combination with another means of security (e.g. two factor auth). I suppose "don't use passwords if possible" can be interpreted as simply "d

You wrote "Don't use passwords" so I took your word for it and assumed that you also meant not using a passphrase with the key. I'm glad you've written the post above because the earlier post taken at face value looked like very bad advice.

You're mostly correct - you are mentioning the problem with having a "Global Secret". In that sense, a personal password is little different than a "Global Secret" that hasn't been distributed, yet.

The larger issue is almost always endpoint security, though. Endpoints are *both* ends - your local PC, and the server at the far side. In this case, the cost of engineering a competent solution was more than the cost of a compromise - the bulk of the cost of this hack will be paid by anyone BUT Stratfor execs

Use unique passwords for everything important and use a secure but salted password for various sites. Let's say my generic secure password is $sJ55Pm#

I salt the secure password between the fives with the initials of the website alternating caps. So my /. password could be $sJ5Sd5Pm# and my World of Warcraft password could be $sJ5WoW5Pm#.

I only have to remember one good password and a formula. Someone clever enough could hand analyze the passwords and might spot the salting but realistically, very few people are worth that effort.

which makes me think there's no point in super complex "try and guess THIS one!" passwords.

One practices good password habits because they help when a site does things properly. Nothing is going to save you if a site is terribly set up but that doesn't mean you should abandon best practices.

Alone, alternating caps adds next to no security. It is one of a number of well-known predictable ideas which are cheap to test for, so the attacker will try them. It only takes three times as long to test the root plus both series of alternating caps as it does to test just the all lower case root. Using leet speak (sorry, 133+ speak) is not of very much use for the same reason.

Well, yes, that's why I specified in this theoretical example that the salt was the initials of the website with the caps alternated. One needs the salt (which, yes, is not a true cryptographic salt, although I do know people who run their generic secure password plus a salt through hash algorithms and use the resulting hash as their password) to be memorable to the user and again, virtually no one is important enough that someone would sit there pulling apa
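To put numbers on the two positions in this exchange (that alternating caps and site initials add little once the root is known, and that running root plus site through a hash is the better version of the same idea), the block below is an added example, not code from either commenter. It takes the comment's own root "$sJ55Pm#" and site passwords as the illustration, treats the root as already known to the attacker from one leaked site password, and enumerates every casing of the site initials at every insertion point. The keyed derivation next to it uses PBKDF2-HMAC-SHA256 with parameters that are my assumption, not anything the thread specifies.

```python
"""How cheap the 'root plus site initials with alternating caps' formula
is to enumerate once one site's password leaks, next to a keyed
derivation that gives each site an unrelated password. Added example, not
from the thread; the root password and site names are the comment's own
illustration and the derivation parameters are assumptions."""
import base64
import hashlib
import itertools

ROOT = "$sJ55Pm#"        # the comment's generic root (treated as known to the attacker)


def case_variants(word: str):
    """Every upper/lower spelling of word: 2**letters candidates."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def formula_candidates(root: str, initials: str):
    """Attacker's view of the scheme: the site initials, in any casing,
    inserted at any position of the known root."""
    for variant in case_variants(initials):
        for pos in range(len(root) + 1):
            yield root[:pos] + variant + root[pos:]


def count_candidates(root: str, initials: str) -> int:
    return len(set(formula_candidates(root, initials)))


def derive_site_password(master: str, site: str, length: int = 20) -> str:
    """Per-site password from a master secret and the site name.
    PBKDF2-HMAC-SHA256 with 200k iterations (assumed parameters) so that a
    leaked derived password costs an attacker 200k hashes per master guess;
    base64 output keeps upper, lower, digits and symbols for complexity rules."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), 200_000, dklen=18)
    return base64.b64encode(dk).decode()[:length]


if __name__ == "__main__":
    print("candidates for WoW:", count_candidates(ROOT, "wow"))
    print("$sJ5WoW5Pm# in set:", "$sJ5WoW5Pm#" in set(formula_candidates(ROOT, "wow")))
    print("slashdot:", derive_site_password(ROOT, "slashdot.org"))
    print("wow:     ", derive_site_password(ROOT, "worldofwarcraft.com"))
```

With three-letter initials the whole formula space is 8 casings times 9 insertion points, 72 guesses, and the comment's own "$sJ5WoW5Pm#" is among them; that is the "cheap to test" point made above, in code. The derived passwords share nothing recognisable, so one leaking does not hand over the others, but the master is still the single secret behind all of them and has to be strong enough to survive an offline guess against a leaked derivative.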

The advantage of "try and guess THIS one!" type passwords is not only are they hard to guess, but if they are long enough and hashed properly (SHA1 or similar) they cannot be unencrypted. (Presuming that the decrypting party does not have access to a super computer). This is due to the fact that these passwords go through a one-way type hash, thus the only way to crack them is having a list of every single possible hash and its key (or generating such a list). So if one has a password that is 27 characters

For anything that could cost you money, your job etc you want passwords that you can remember and that are hard to crack even if somebody has a copy of /etc/shadow or similar: http://xkcd.com/936/ More importantly, don't reuse passwords that you put on anything important. Some idiot may store them in plain text on a blog site, dropbox authentication or whatever useless bunch and then a cracker could use them to get into your bank or wherever else you've used the password. Now even Facebook passwords could be

I wrote, and rewrote, and rewrote a long and subtle post on the value of contemplating the underlying forces acting in society that lead to events like this, rather than jumping to adulation or condemnation. I came to the conclusion that I could not make it clear that I was advocating contemplation, not support or opposition. That all I would get in response would be some twit turning my post into a straw man then hurling rhetorical vitriol at it.

In any case, if it's "corporate" email it's probably trivial or ephemeral, concerned with administrative minutiae or the perpetual re-editing of "reports" as if they were something of great value. Out of 200GB I would expect perhaps half a dozen emails containing something interesting, salacious, or actionable (perhaps all three :-) and that kind of hit rate is barely worth the trouble of pwning their server.

The reason the authorities can't catch anonymous is that they're all chicks! They go around acting like nerd groupies fawning over admins in a socially engineered hack where they get the root password from the unsuspecting admin. The authorities can't catch them because the only description they get from the admin is "she was purty and soft".

The -15 tells you the patch level. 2.2.15-15.el6.x86_64 was issued this month. As long as Red Hat supports RHEL6, and that will be for a goodly number of years more, they will issue security and other patches. For example, their kernel is presently 2.6.32-220.2.1.el6.x86_64, but they track and backport not only the latest security patches but also a lot of hardware support and new feature improvements.

Well, thanks for the info. I haven't touched a RPM based distro in about 10 years, too much RPM hell with shared libraries and nonworking compilers on RH distros. Forgot about their tendency to backport, thereby creating dependence on RH.

I don't use anything that doesn't just pass on the upstream, so I wouldn't know.

I'd rather just have the Apache (or whatever) release and not have to deal with the delay and potential for problems associated with someone else modifying and redistributing the upstream. The idea that, if I don't like the package maintainer's speed or choices, that I can just grab the upstream directly, compile, and slide it into my distro with minimal reconfiguration is fairly appealing also.
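The practical consequence of the backporting described a few comments up is that a version string like 2.2.15 on its own says nothing about patch state; the release field (15.el6) is what moves when a fix is backported, and it has to be compared the way rpm compares it, not as a plain string. The block below is an added example, not from the thread or from Red Hat: a simplified rpmvercmp (caret handling omitted), a NEVRA splitter that assumes an arch suffix and no epoch, constructed package strings, and a hypothetical "fixed in release 9.el6" threshold that does not refer to any real advisory.

```python
"""Vendor packages like 2.2.15-15.el6 carry backported fixes, so the
upstream version alone says nothing about patch state; the release field
does. Added example, not from the thread or from Red Hat: a simplified
rpmvercmp and a NEVRA splitter, with constructed package strings and a
hypothetical fixed release (no real advisory is cited)."""
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise comparison as rpm does it (caret handling omitted):
    numeric segments compare as integers, alpha segments as strings,
    numeric beats alpha, tilde sorts before anything (pre-releases),
    otherwise the string with segments left over is newer."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
            continue                         # "01" and "1" are equal
        if x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # 220.2.1.el6 is newer than 220.el6
        return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def parse_nevra(pkg: str) -> dict:
    """Split 'name-version-release.arch' (epoch not handled; arch assumed present)."""
    base, _, arch = pkg.rpartition(".")
    nv, _, release = base.rpartition("-")
    name, _, version = nv.rpartition("-")
    return {"name": name, "version": version, "release": release, "arch": arch}


def is_at_least(installed: str, fixed_version: str, fixed_release: str) -> bool:
    """True when the installed package's version-release is >= the fix."""
    p = parse_nevra(installed)
    c = rpmvercmp(p["version"], fixed_version)
    if c != 0:
        return c > 0
    return rpmvercmp(p["release"], fixed_release) >= 0


if __name__ == "__main__":
    installed = "httpd-2.2.15-15.el6.x86_64"               # constructed
    print(parse_nevra(installed))
    # hypothetical advisory: fix backported into release 9.el6 of 2.2.15
    print("patched:", is_at_least(installed, "2.2.15", "9.el6"))
    # what a naive upstream-version comparison would conclude
    print("upstream 2.2.22 newer than 2.2.15:", rpmvercmp("2.2.22", "2.2.15") > 0)
```

The point of the two comparisons at the bottom: a scanner that only looks at "2.2.15" against the current upstream release will flag the box, while the release comparison against the vendor's fixed release is the one that says whether the backported fix is actually installed. The same applies in reverse: a release that merely looks higher as a string (9.el6 versus 15.el6) is lower once compared segment-wise.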

You can't moderate AND post. Slashdot doesn't allow that. It is impossible for anyone to explain why they moderated any particular way.

Moderation is largely about your presentation of your argument, which is earning you a lot of that mess. It still looks like you cherry-pick the facts that are convenient for your argument, regardless of whether you're actually doing so. There are undoubtedly facts that don't make your argument look as solid. That's what I'm asking: do you, or don't you pay attention to the

As another hacked reader, yeah I'm unhappy about this too. Considering that I was donating to wikileaks before, this is just painful.

Stratfor's just come out with their email, 8pm, not great, but here we are. They've done the standard 1yr prepaid monitoring service for identity theft.

I looked around to verify that my CC was actually breached (who knows, maybe it was a card I've already canceled?), but all the primary copies of the CC list seem inaccessible. It'd be lovely if they were taken down before I